* Posts by cbars

473 posts • joined 11 Jun 2013


Languishing lodash library loophole finally fitted for a fix: It's only taken since October to address security bug

cbars Silver badge

Re-inventing the tools to make a wheel

The website is the car in this analogy, we know it's useful and it serves many purposes. To build the car we need some way to send and receive data, style it, and get user input... etc

This stuff all exists, and has done for a long time. You can hand crank HTML etc and what you get is rock solid. All these libraries do is change the way you build your wheel, your axle. Yes it seems faster but you trade stability/maintainability/security/performance and simplicity for development speed alone...

I honestly am not advocating hand cranking code, but the trade offs need to be made only in appropriate places, not "use this 1 framework to solve all your problems". You're building a car, so it makes sense to reuse the frame of another manufacturer, but other than that it's best to just do it yourself.

It's not innovation to reinvent the tools to build the wheel, it's procrastination; and besides, using different tools every time you build a car is upsettingly inefficient

Yes, Prime Minister, rewrite the Computer Misuse Act: Brit infosec outfits urge reform

cbars Silver badge

Re: The law is fine and doesn't need changing

Yes, but this isn't just people lobbying. If you were an infosec company, wouldn't it be nice to be able to cold call and say "hey, you've got a problem you need someone to fix... FYI we fix this stuff..."

That's where this is coming from. Also, another avenue for giving the plod a pass on creepy powers, while dressing it up as security, so home sec will love the idea of reform.

Sorry to drone on and on but have you heard of Ingenuity? NASA's camera-copter is ready to head off to Mars

cbars Silver badge

Finally

They can scout over the top of poor old Beagle 2, blow the dust off and get those final panels winched up!

Extraterrestrial maintenance drones for the win!

Maybe there is hope for 2020: AI that 'predicts criminality' from faces with '80% accuracy, no bias' gets in the sea

cbars Silver badge
Coffee/keyboard

Re: Very dodgy subject

Ha, good one: Mormon/Jehovah's Witnesses are *not* fraudsters!

cbars Silver badge

Re: Very dodgy subject

I'd say you're able to tell when (most people) are forcing an expression, and it doesn't look right - so there goes the alarm. I bet there are some damn good fakers that would pass muster, but that's the arms race I guess.

Although I've also had the same when in foreign countries and I haven't learned the cues from childhood so I don't think this intuition is anything to be relied on, quite the contrary.

Also, if someone is (or appears to be) either well above or well below you in a social hierarchy, that may trigger a fight or flight response, in my opinion.

Whether those responses are justified is case by case, of course. This research is a joke.

Boffins find that over nine out of ten 'ethical' hackers are being a bit naughty when it comes to cloud services

cbars Silver badge

Re: It is happening now

now you need physical operational security expertise AND virtual; I'm not sure I prefer the attack surface, even if it's cool in movies. Although I heard you can beat forensics by using bleach, so just pour bleach all over the RPi and you're good to go!

cbars Silver badge

Re: It is happening now

Really? All you need is a predictable log message that says "access denied" with an IP address. You can set up custom patterns for any file to isolate the IP and it'll drop those packets once you hit whatever limit you configure. I think it's about 10 lines in 3 files to do this.
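
The mechanism the post describes (a predictable "access denied" line, a pattern that isolates the IP, a per-IP counter, and a drop rule once a limit is hit), as an added example that is not part of the original post and not the code of any particular ban tool. Standard library only. The log format, the threshold and the nftables command are assumptions, and the log lines are constructed for the demo.

```rust
use std::collections::HashMap;
use std::net::IpAddr;

/// Constructed sample log (not real traffic). The format is an assumption:
/// timestamp, process tag, then the message.
pub const SAMPLE_LOG: &str = "\
2020-06-29T10:00:01Z sshd[812]: access denied for 203.0.113.7 (invalid user admin)
2020-06-29T10:00:03Z sshd[812]: access denied for 203.0.113.7 (invalid user root)
2020-06-29T10:00:04Z sshd[812]: accepted publickey for alice from 198.51.100.4
2020-06-29T10:00:05Z sshd[812]: access denied for 2001:db8::9 (invalid user test)
2020-06-29T10:00:06Z sshd[812]: access denied for 203.0.113.7 (invalid user guest)
2020-06-29T10:00:07Z sshd[812]: access denied for not-an-ip (malformed line)
";

/// The "custom pattern": a line counts as a failure only if it carries the
/// predictable "access denied" message AND a token after it parses as an
/// IPv4 or IPv6 address. Lines that match the text but carry no address
/// are ignored rather than producing a bogus ban.
pub fn denied_ip(line: &str) -> Option<IpAddr> {
    let rest = line.split("access denied").nth(1)?;
    rest.split_whitespace().find_map(|tok| {
        tok.trim_matches(|c: char| c == '(' || c == ')' || c == ',' || c == ';')
            .parse::<IpAddr>()
            .ok()
    })
}

/// Tally failures per source and return every address at or over
/// `maxretry`, sorted so the result is deterministic.
pub fn ips_to_ban(log: &str, maxretry: usize) -> Vec<IpAddr> {
    let mut counts: HashMap<IpAddr, usize> = HashMap::new();
    for ip in log.lines().filter_map(denied_ip) {
        *counts.entry(ip).or_insert(0) += 1;
    }
    let mut banned: Vec<IpAddr> = counts
        .into_iter()
        .filter(|(_, n)| *n >= maxretry)
        .map(|(ip, _)| ip)
        .collect();
    banned.sort();
    banned
}

/// The action: one drop rule per banned address. The nftables syntax and
/// the existence of table "inet filter" / chain "input" are assumptions;
/// the rules are returned as strings, not executed, so the demo is harmless.
pub fn drop_rules(banned: &[IpAddr]) -> Vec<String> {
    banned
        .iter()
        .map(|ip| {
            let family = if ip.is_ipv4() { "ip" } else { "ip6" };
            format!("nft add rule inet filter input {} saddr {} drop", family, ip)
        })
        .collect()
}

fn main() {
    // With maxretry = 3 only 203.0.113.7 crosses the line; the single
    // IPv6 failure and the malformed line produce no rule.
    let banned = ips_to_ban(SAMPLE_LOG, 3);
    for rule in drop_rules(&banned) {
        println!("{}", rule);
    }
}
```

The one design point worth keeping in mind: the pattern must anchor on something the attacker cannot put into the log themselves (here the fixed "access denied" text and the address the daemon records, not a username the client supplies), otherwise a forged line can get an arbitrary address dropped.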

cbars Silver badge

Re: It is happening now

This is a wet dream. The idea that it's better to *physically* link yourself to a mark? A decent copper would pick you up in no time, let alone if they got forensics involved.

Ex-barrister reckons he has a privacy-preserving solution to Britain's smut ban plans

cbars Silver badge

Re: "Just as I don't really understand my car, I just drive it."

Kitchen tap, fridge, self service checkout, electric toothbrush, light bulb, cordless drill, those little labels on apples.....

Car was easier, but anything will do ;)

(Can't restrain myself.... the way you hold your iPhone!)

cbars Silver badge

Re: Mind of a teenager

No. It isn't on "most people" to fully understand their computers. Just as I don't really understand my car, I just drive it.

The government should not create risks for citizens, it should reduce them up to whatever freedom is desired by the populace. If the government passed a law to say that brake pads should be made of gold ( or whatever ), and then my brake pads got predictably nicked - I'd be worse off for lots of reasons, and I don't have the wherewithal to work out how to secure my brake pads. It's not on me, it's on that stupid brake pad law.

Young people are pretty good at these computer things, and if you want to know how to get admin rights on a machine you have physical access to, it's just a search away...

'Work pressure' sees Maze ransomware gang demand payoff from wrong company

cbars Silver badge

Pricks

Splunk to junk masters and slaves once a committee figures out replacements

cbars Silver badge

Re: Male and female connectors..

nah, that one is safe. Those idiots think it's a sin, not offensive.

We can probably all find something we deem as too offensive to include, for example a named reference to "your mother": but we can't all agree on where the line is that the offense is so uncommon as to make any effort exerted on considering whether to remove it a wasted effort. That line is subjective, and yes it will change over time - but hey, got to keep changing stuff or we'll all be out of jobs!

cbars Silver badge

Re: Where will this end....

That's religion. They always want you prone for something.

GitHub to replace master with main across its services

cbars Silver badge

Re: Let's go through this point by point

Re: chalk board - are you sure it's not actually because modern chalk boards are quite often green, so calling them black didn't make sense as a general term?

cbars Silver badge

Re: Let's go through this point by point

@anon: It wasn't just one statue, the man was a philanthropist and *many* things in that part of the world are named after him.

Are you saying we shouldn't be renaming all the Colston monuments/buildings and organisations that still bear his name, because the word Colston isn't directly offensive?

Ah, it's the association that's relevant, gotcha.

ZFS co-creator boots 'slave' out of OpenZFS codebase, says 'casual use' of term is 'unnecessary reference to a painful experience'

cbars Silver badge

Good, I meant it pejoratively, to indicate that the opinion stated was immature and unsophisticated ( that words should have no emotional impact ). I mean no disrespect to the individual, just the sentiment

cbars Silver badge

The guy says he doesn't want to use this word as it's applying an objectionable human relationship to an abstract concept between software components.

The response is that he is wrong because he has looked around at society and made a judgement call to respond to other people's emotions (nobody told him to do this, I reject that part of the argument). If that is the argument, I will exit here, as that would be saying you should never act based on empathy...

If your argument is that he shouldn't need to spend the effort because the word is "correct", then the only response is: yes, the word can be contextually interpreted to describe how two abstract constructs interact, but there are lots of words and the fact that you have an opinion on someone else's code base nomenclature justifies his decision.

In my own code, I could use "bastard" for background threads, instead of "child". I could use "asexual spawn", but it doesn't matter, it's an abstract construct and the name I use is only meaningful to humans reading the source, so I won't go with "bastard", or "my partner talks too much", because I'm aware that other people subjectively interpret words and my own opinion is not the only relevant variable.

cbars Silver badge

missed edit: to be clear, responding with fear or getting upset by words is natural - most ancestors who didn't respond that way likely either fell off cliffs or got eaten, so it's well baked in.

Don't be proud that your emotional response doesn't match others around you - the lack of empathy is more of a weakness than (perceived) lack of rationality as it increases the risk of being ostracised.

cbars Silver badge

"MERE words"

Are you a child? Words are how humans pass knowledge from one generation to the next (or further!), they are without a doubt our greatest power, and by definition they carry meaning.

Associating meaningful words - incorrectly - spreads incorrect ideas - which is what annoys people about politicians. Go and argue with Chinese censors and tell them words have no impact, that they need a backbone. Go and tell victims of extremist religions, or go and stand in downtown {insert metropolitan US city} and argue about the n word.

Taking offense is *taking*, so you can't always avoid inadvertently providing it, but you don't wander about wanking in people's faces (I hope), because somebody taught you that is not acceptable - and they probably didn't need to show you, they just used words.

In Hancock's half-hour, Dido Harding offers hollow laughs: Cake distracts test-and-trace boss at UK COVID-19 briefing

cbars Silver badge

We have to *really* be fucked in order to swallow what the US will offer, post Brexit. This will do nicely and we'll not be allowed to compare with what we had, because you can't blame them for a global pandemic.... that is my bet, and the economy nosediving faster and harder than 2008 seems to be lining us up for it

Brit council tosses Serco a £50m contract extension as coronavirus pandemic leaves in-sourcing plans in tatters

cbars Silver badge
Trollface

If it wasn't for C-19

I'm sure they'd have had that little lot implemented right on time!

With months to go, no doubt all alternative systems are implemented, data migration plans in place and validated, and it's once the redeployed staff are back they will be able to press "go-live" without issue.

Although... to make it worth an additional outlay of £50million, perhaps I'm wrong...?

Play stupid games, win stupid prizes: UK man gets 3 years for torching 4G phone mast over 5G fears

cbars Silver badge
Facepalm

Re: @andyFI

Amaaaazing!!!! Resonance!? Well, my god, you're right!!!

How could we have been so blind?

*shouts over shoulder*

You guys, we forgot resonance!

Asbestos, CFCs (which...you've....misspelled....)... don't forget knives, we now know knives kill people too, even though "ug" said they didn't - see, another controversy *proving* that "scientists" are stupid idiots whose theories get disproved radically and in the complete opposite direction, all the time.

cbars Silver badge

Re: 3 years for a terrorist offence ?

Science doesn't deal in facts, buddy, that's the domain of belief systems... but it's arguably the best invention humanity has ever made.

I both guarantee someone will die if things carry on this way, and also if they don't carry on this way.

Finally, I disagree with your premise (belief) that nothing is worth a human life; I believe some are worth more than others, and certainly some are worth more *to* others. (Thought experiment, is it worth bankrupting a country to help an 80 year old rapist live in prison for another 2 months... no? OK, so now we can argue about where the line is on a case by case basis)

Anyway, back to the point: my honest, unbiased opinion is that you are either too tired, drunk, or uneducated to be here - as without addressing the merits of your argument it appears that your understanding of what science actually is, and how society judges value, is either misarticulated or lacking entirely.

Repair store faces hefty legal bill after losing David and Goliath fight with Apple over replacement iPhone screens

cbars Silver badge

Re: Worse than expected, but that's just a detail @AC

I think people who make this argument forget a bit... so: as a rational, resource orientated mammal, you would expect this. But you forget status. Cutting to my point, no one gives a shit, the fact that it's expensive drives the brand, and consumers don't make a comparison between the grassy Hill and the grassy Hill: that hill is better. That is not being enamoured, that's calculated.

Yes, it's bad for companies to exploit this human behaviour.

Amateur astroboffins spot young brown dwarf playing with planet-forming hula hoop just 102 parsecs from Earth

cbars Silver badge
Paris Hilton

Re: Nice artists impression.

196.2 Hiltons ;)

One of the only ones I can remember, but for the rest:

https://www.theregister.com/Design/page/reg-standards-converter.html

cbars Silver badge

Re: Nice artists impression.

Come on: S.I. or El Reg units only for science stuff, please, none of this 18th century hand waving.

Creeps give away money to harass recipients with abusive transaction descriptions on bank statements

cbars Silver badge

Re: One solution...

An escrow service either removes a useful feature for everyone, or requires self identification of victims (and from your second comment it appears you expect this prior to harassment?). Typically these people are reluctant to make a fuss, either because of fear or sheer timidity. I didn't down vote, but one final point, it's hiding the problem not solving it

cbars Silver badge

Re: One solution...

The whole point of these is so you can keep track of why the money is going in. If I'm paying my mate for some concert tickets, and petrol money, then he's passing some back as I got the beers in - it's a lot easier to keep track of the meaning attached, than to maintain a separate transaction tracker and then cross reference by amounts. Even if that transaction tracker is your head, the meaning of words is more useful than numbers in this case.

Perhaps a mechanism in place to report (or even block) these from specific accounts, rather than anonymise, would work? Then I can send my mate money for "Friday's beers" (or his "boob job"), but a victim can have redacted messages, keep the money, and have physical evidence for the plod to back up a tricky to prove crime

Office supplies biz owned by UK council shrugs off ransomware demand for 102 Bitcoin

cbars Silver badge

Backups

We're always talking about backups, but this raises an interesting thought for me. Wouldn't it be sensible to set up an entirely unrelated emergency domain (or Gmail account, yes) which you specify in your contracts as an authoritative secondary, from a business perspective...?

I'm sure it's not simple to recover a business without usable backups for all systems, but if you can continue to communicate and trade it's got to be easier.

Publishers sue to shut down books-for-all Internet Archive for 'willful digital piracy on an industrial scale'

cbars Silver badge

Unusually

Sometimes copyright is painfully and incorrectly applied as a money grab. I don't think that's the case here and I'm with the big publishing houses on this one. Libraries will eventually buy more copies of the books as they wear out, and not all books are available in all libraries.

They have to protect their claim and this is a real infringement. You should have to pay while a copyright is held, but I would add that in my opinion copyright should not extend beyond a human lifetime.

After 30 years of searching, astroboffins finally detect the universe's 'missing matter' – using fast radio bursts

cbars Silver badge

No, these come from different observations. This article was about finding the mass which is predicted by the model which has been built from looking "back in time" at the CMB + expansion etc to work out how many particles there used to be in a certain volume of space (and therefore still should be in a bigger volume thanks to expansion and explosion).

The Dark matter and energy stuff is measured using the measurements taken from movements of stars around galaxies and intra galaxy movements, etc which correlate with *higher still* mass than what we can see by counting stars and black holes etc

(This is vastly smaller than the error bars on measured star mass, the gap between what we see and what we need to explain it is humungous, this doesn't touch the sides)

Disclaimer: it's been a long time since I learned this sort of stuff so I've probably muddled some bits up here.

Guess who came thiiis close to signing off a €102k annual budget? Austria. Someone omitted 'figures in millions'

cbars Silver badge
Facepalm

Do I need to point out what is wrong with this reference...?

Record-breaking Aussie boffins send 44.2 terabits a second screaming down 75km of fiber from single chip

cbars Silver badge
Pint

My hat is off!

Wanna force granny to take down that family photo from the internet? No problem. Europe's GDPR to the rescue

cbars Silver badge

Re: GDPR is a joke....

In the UK, it would be possible to obtain a list of all the companies registered for trade, from companies house. You could then write to each and every one and demand they send you what information they have collected on you.

This would mean providing some identifiable information to all these, but I'm not sure how you want this to work... Do you want every company that gets your information to tell you that they have it? Not unreasonable but also sounds like a lot of unwanted Spam. How often should they remind you? How do they contact you if they have your previous address but you've moved?

We could create a central database that's always up to date, which holds all the personal information ever collected on all citizens, then we can be sure it's always up to state - ahem, date - and know what is being held.

Rust marks five years since its 1.0 release: The long and winding road actually works

cbars Silver badge

Re: On speed

Could be right, my understanding was that there was a very small runtime with Rust (as with C) and have seen references to it around Trait implementations, array bounds checking, memory ('dropping') etc - but might need to switch to a rust forum for detailed information on whether that is actually different/bigger to what comes out of C for trivial cases. Overall I would recommend it purely for safety, and if any performance sacrifice exists, meh.

Yes, almost all benefits are realised at compile time but it's all assembly somewhere, and C doesn't check that stuff it just does it...

cbars Silver badge

Re: On speed

I know what the word "multiplication" means but the rest of that went whistling over my head.... I believe you!!

Post-search edit: Oh Jeez, I did learn this at Uni, a long time ago, I have forgotten *a lot*

cbars Silver badge

Re: On speed

Sounds veeery slow, but in general Rust program speed will be very very close to (but slower than) C 1) As there are additional runtime checks that do occur for some operations, 2) precisely because C will let you do weird and wonderful things with your memory etc. A properly written C library will get you there the fastest, but if that doesn't exist and you want to write one, it's probably *safer* in rust.

As you say, the most likely path to success will be changing your algorithm, rather than the same one written in another language. As a mathematician you're probably the most qualified to say, but I'd try to work out if you can get any of your computations done in parallel, then you can use multi threading to physically crank the numbers with less elapsed real world time.

cbars Silver badge

Not trying to have an argument, but this is a bit sweeping and slightly unfair IMO, just to provide my view:

1. At compile time, not run time, so doesn't allow ambiguity or undefined inference, I don't think that's a weakening

2. English is the best and all programmers should know it...? I will take symbols with good documentation and I don't care what symbols (ASCII or not) we're using

3. Fair enough, but it does provide backward compatibility, the only other option is breaking changes which I would frown upon (or not? Not sure it's the only option, just all I can think of if the language is to add features)

4. "Obvious" is subjective

5. https://doc.rust-lang.org/stable/book/ch17-03-oo-design-patterns.html

As far as I can see, it's incorporated pretty good things from multiple paradigms. Only thing missing from OOP is inheritance, which *is* nice to use, but default Traits provide a similar ish behaviour

cbars Silver badge

Re: Meh

Fair enough Dan 55, but I was really just talking about the general case of making mistakes. As I said: I'm an idiot who types things that are not correct, don't let me get away with it - thanks!

cbars Silver badge

Re: Meh

Having been burned by other people's thread safety failures, and irritated beyond belief by Java pop ups for null pointer exceptions in "enterprise" software, I was over the moon to hear of rust. I've now been learning/using it for a year. I *like* the DO NOT PASS GO borrow checker, it's precisely what programming languages *should be*, a tool that prevents the user (wave) from whacking their own thumb. I like to do things the 'correct' way, and take pride in my work, but sometimes I'm tired or distracted and type something incorrectly (ah, shit, I meant == not = in that if statement....), and I can't bloody get away with it! I *do* prefer that my code doesn't run if it's incorrect. Let hardware drivers do weird and wonderful ("unsafe") things, test them properly, and allow application developers to build useful stuff on top without tearing big security holes in the machine... yes please.

I am not surprised at all that people get carried away
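
The checks the Rust posts in this thread refer to (the run-time bounds check on indexing that C does not do, the `unsafe` opt-out kept for driver-style code, checked size arithmetic, and the compiler refusing to let threads share mutable state without a lock), collected into one added example. This is not code from the posts or from the Rust project; it uses the standard library only, and the toy table and counter are the only assumptions.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::sync::{Arc, Mutex};
use std::thread;

/// Bounds-checked lookup. In C, table[idx] past the end silently reads
/// whatever memory follows; here the check happens at run time and the
/// out-of-range case is an ordinary None the caller must handle.
pub fn lookup(table: &[u32], idx: usize) -> Option<u32> {
    table.get(idx).copied()
}

/// Plain [] indexing is also checked, but a bad index panics instead of
/// returning garbage. catch_unwind converts the panic into an Err here so
/// the behaviour can be shown without killing the program.
pub fn lookup_or_panic(table: &[u32], idx: usize) -> Result<u32, String> {
    catch_unwind(AssertUnwindSafe(|| table[idx]))
        .map_err(|_| format!("index {} out of bounds for len {}", idx, table.len()))
}

/// The opt-out the post reserves for drivers: no bounds check at all.
/// Marked `unsafe` so every caller has to write `unsafe {}` and own the
/// obligation below; application code never needs to touch this.
///
/// # Safety
/// `idx` must be less than `table.len()`.
pub unsafe fn lookup_unchecked(table: &[u32], idx: usize) -> u32 {
    *table.get_unchecked(idx)
}

/// Size arithmetic that refuses to wrap. In C, `len + extra` overflowing to
/// a small number is the classic undersized-allocation bug; checked_add
/// reports it as None. (Plain `+` panics in debug builds and wraps in
/// release, so for sizes the explicit checked form is the one to use.)
pub fn grow(len: usize, extra: usize) -> Option<usize> {
    len.checked_add(extra)
}

/// Shared mutable state across threads. The type system forces the Mutex:
/// handing several threads a `&mut u64` to the same counter does not
/// compile, which is the class of thread-safety failure the post mentions.
pub fn parallel_count(n_threads: usize, per_thread: u64) -> u64 {
    let counter = Arc::new(Mutex::new(0u64));
    let handles: Vec<_> = (0..n_threads)
        .map(|_| {
            let c = Arc::clone(&counter);
            thread::spawn(move || {
                for _ in 0..per_thread {
                    *c.lock().unwrap() += 1;
                }
            })
        })
        .collect();
    for h in handles {
        h.join().unwrap();
    }
    let total = *counter.lock().unwrap();
    total
}

fn main() {
    let table = [10u32, 20, 30];
    println!("{:?} {:?}", lookup(&table, 1), lookup(&table, 3));
    println!("{:?}", lookup_or_panic(&table, 7));
    println!("{:?}", grow(usize::MAX, 1));
    println!("{}", parallel_count(4, 1_000));
    // `if table.len() = 3 {}` (the = for == slip from the post) is a
    // compile error in Rust, so it never reaches a binary at all.
}
```

The bounds check and the checked add are the "additional runtime checks" the speed post refers to; everything else (the Mutex requirement, the unsafe marker, the = versus == rejection) costs nothing at run time because it is enforced by the compiler.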

Cyber attack against UK power grid middleman Elexon sparks in-house IT recovery efforts

cbars Silver badge

Re: What ?

Cool cool cool, how long should I keep the backups to avoid getting shot? Just, you know, so I can make sure there is no way ransomware is decrypting files on the fly to corrupt said backups?

I disagree that victim blaming is the moral high ground...

What is required, in my opinion, is actually legally enforced engineering standards, like other disciplines. Want to sell software in the UK? Fine, but you had better get accredited and prove that your sexy/disruptive design complies to the latest safety standards. Is this a perfect system, no. Is it fast, no. Is it expensive, yes. But for the most part buildings are not collapsing on people; it would be nice if we could trust software to the same degree and let companies do business instead of wrapping other people's code in layers of redundancy to cover up that nasty industry-pervasive smell of negligence.

*Then* we can start requiring businesses to use the tools safely, just as with everything else, mandated licenses and insurance etc. Would you get angry at a business for not renting two buildings, employing twice as many staff as required and running failure drills to a secondary office in case the first one burns down or collapses on its employees.... hopefully not. I just expect them to have insurance as it's so unlikely. Anyway, sorry, I rambled on there, well done if you're still reading! Yes, backups are essential business practice if you've got your head screwed on, but I can dream - and let's try not to shoot people after they've been mugged.

You can't have it both ways: Anti-coronavirus masks may thwart our creepy face-recog cameras, London cops admit

cbars Silver badge
Holmes

He'd lose voters because it's "Un-American" to not give a shit about anyone other than yourself...? Nope, this checks out, carry on

'iOS security is f**ked' says exploit broker Zerodium: Prices crash for taking a bite out of Apple's core tech

cbars Silver badge

Re: "Zerodium said for the first time that it would pay more for flaws in Android"

Think Anon was either saying they think updraft102 and I are the same person and I'm using that account to defend my delicate ego, or that some weirdo hated my comment so much they used multiple accounts to down vote it... for 1) it's easy to click on the usernames and convince yourself we are not, for 2) I doubt it, but good... note the troll face icon!

cbars Silver badge
Trollface

Re: "Zerodium said for the first time that it would pay more for flaws in Android"

60 years of old fashioned shite! Thank god Pottering stepped up and is knocking all that stone age crap into the dust with the cool new way of doing stuff.

Nine in ten biz applications harbor out-of-date, unsupported, insecure open-source code, study shows

cbars Silver badge

Yea... just because an application includes a component with a CVE, it isn't de facto exploitable. For the most part though, you should clean house. The classic response to this suggestion is if someone is inside your firewall and accessing the application then you have bigger things to worry about. I'm not saying that is a good response, mind, but it explains these findings.

Facebook-for-suits puts on a fresh jacket. 'Classic' Yammer is so 2018. Behold, a public preview of 'New' Yammer

cbars Silver badge

Re: Linked-In is already bad enough

Wow, I'm excited about your workplace / productive-tool, let me know where I can find the white paper!

Hey, also, you look like a perfect fit for this exciting new role in your area, PM me if you want to know more and send me your CV and phone number and we can chat!

Aces, great day!

One malicious MMS is all it takes to pwn a Samsung smartphone: Bug squashed amid Android patch batch

cbars Silver badge

Re: Bug number

Might be different thresholds there. All CRs getting a number, for example, as within Samsung that's potentially a security hole so needs tracking. CVEs though, by definition, are bad flaws.

FYI: Your browser can pick up ultrasonic signals you can't hear, and that sounds like a privacy nightmare to some

cbars Silver badge

Re: @cbars -- It's the microphone, not the browser

Hello @Someone Else

"how did you get to be so important?". While I'm flattered, I don't think I'm all that important... I do read and use my brain before corresponding with people though.

I was responding to @Snake:

"there has never been a good reason to allow my browser access to the microphone"

Re-read my post. You only need to have one occasion to use the mic for it to be a good reason.

Brush that chip off your shoulder and stop projecting your inferiority complex on to strangers on the internet, then have a lovely weekend and enjoy some outdoor time

cbars Silver badge

Re: It's the microphone, not the browser

Not using your browser for things like Conference calling then. Either allow the browser, or install a multitude of apps based on customer whims.

Go on, hit Reply All. We dare you. We double dare you. Because Office 365 will defeat your server-slamming ways

cbars Silver badge

It's not possible to set up arbitrary email accounts in Exchange Server...? You know..... for testing...?

I suppose a lack of knowledge such as what the word "test" means would be career defining


Biting the hand that feeds IT © 1998–2020